rack_jwt_aegis 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6bc9e89c08947641810cb3c0a5aef91c56554dcf44e593abc10cb7b75ebe6478
-  data.tar.gz: bcbd0711caf2bd74d65ede714cf4cf24eb016146fc69e20bfdf76a165d8a009c
+  metadata.gz: 85f1445f011d0e42c075e3777164d61b215aa04b6f78e535db987c3f0e239c6f
+  data.tar.gz: 94fa6e5dd9041709d394e1c42dc5cc938aeb4fb9325218a94cab6352a4a7cf47
 SHA512:
-  metadata.gz: 7d279d25565397a64e45be0b157a01e63ca7c8e688fd1bb3592649cef8a2037380f5c9c1ddad645ad46f2326d5cd8cc279661207371825d26fe0c6cc036dd272
-  data.tar.gz: fe7e42dc37a5dca3a4fe443fc14e0a64178994b20406471ab6139be4e0b8917a663bcc45d29a819749875a9ef4cecd7d85cd8e13ef9cf5b6054ace0be090d540
+  metadata.gz: 0e3e83285e30c8b86efb2977aba6cfeccf728539b689fb80fb658e29ac91e61c455ab48c5793b689293154d3fe985ad6fee71d3b2381261f34b481370c89e8a1
+  data.tar.gz: f42e6cdb32d72f06ef14d7c016cbb7970ad5b04f9626b16cc1bf7a4062cdb6b68a899548e80259bac934622b2adc3080121c2b7e82daa84ab93f2df30ad34e63

data/.yardopts

@@ -1,16 +1,14 @@
 --output-dir doc
 --readme README.md
---markup-provider=kramdown
---markup=markdown
 --main README.md
+--markup=markdown
 --protected
 --private
 --no-private
---title "RackJwtAegis API Documentation"
+--title "RackJwtAegis Rack Middleware API Documentation"
 --charset utf-8
 lib/**/*.rb
 -
 README.md
 LICENSE.txt
 CODE_OF_CONDUCT.md
-adrs/architecture.md

data/CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.2] - 2025-08-13
+
+### 🔧 Fixed
+
+- Add :validate_tenant_id configuration and incorporate this to the MultiTenantValidator#validate_tenant_id_header
+
+#### Code Quality & Maintenance
+
+- Refactor the Configuration and MultiTenantValidator
+
 ## [1.0.1] - 2025-08-13
 
 ### 🔧 Fixed
@@ -23,7 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 #### Developer Experience
 
 - **Consistent Logging**: Unified debug log format across all components with automatic timestamp formatting
-- **Component Identification**: Automatic component name inference for better log traceability  
+- **Component Identification**: Automatic component name inference for better log traceability
 - **Configurable Log Levels**: Support for info, warn, and error log levels with appropriate output streams
 
 ### 🏗️ Technical Details
@@ -37,7 +47,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 #### Testing & Quality
 
 - **Test Suite**: All 340 tests pass with 975 assertions
-- **Coverage Maintained**: 98.17% line coverage, 92.83% branch coverage  
+- **Coverage Maintained**: 98.17% line coverage, 92.83% branch coverage
 - **RBAC Integration**: Verified all role-based authorization tests pass after refactoring
 - **Zero Regression**: No functional changes, only structural improvements
 

data/README.md

@@ -6,7 +6,7 @@
 [![Ruby Version](https://img.shields.io/badge/ruby-%3E%3D%203.1.0-ruby.svg)](https://www.ruby-lang.org/en/)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-JWT authentication middleware for hierarchical multi-tenant Rack applications with 2-level tenant support.
+JWT authentication and authorization middleware for hierarchical multi-tenant Rack applications with 2-level tenant support.
 
 ## Features
 
@@ -46,25 +46,25 @@ Rack JWT Aegis includes a command-line tool for generating secure JWT secrets:
 
 ```bash
   # Generate a secure JWT secret
-  rack-jwt-aegis secret
+  rack_jwt_aegis secret
 
   # Generate base64-encoded secret
-  rack-jwt-aegis secret --format base64
+  rack_jwt_aegis secret --format base64
 
   # Generate secret in environment variable format
-  rack-jwt-aegis secret --env
+  rack_jwt_aegis secret --env
 
   # Generate multiple secrets
-  rack-jwt-aegis secret --count 3
+  rack_jwt_aegis secret --count 3
 
   # Quiet mode (secret only)
-  rack-jwt-aegis secret --quiet
+  rack_jwt_aegis secret --quiet
 
   # Custom length (32 bytes)
-  rack-jwt-aegis secret --length 32
+  rack_jwt_aegis secret --length 32
 
   # Show help
-  rack-jwt-aegis --help
+  rack_jwt_aegis --help
 ```
 
 ### Security Features
@@ -82,6 +82,7 @@ Rack JWT Aegis includes a command-line tool for generating secure JWT secrets:
   # config/application.rb
   config.middleware.insert_before 0, RackJwtAegis::Middleware, {
     jwt_secret: ENV['JWT_SECRET'],
+    validate_tenant_id: true,
     tenant_id_header_name: 'X-Tenant-Id',
     skip_paths: ['/api/v1/login', '/health']
   }
@@ -94,6 +95,7 @@ Rack JWT Aegis includes a command-line tool for generating secure JWT secrets:
 
   use RackJwtAegis::Middleware, {
     jwt_secret: ENV['JWT_SECRET'],
+    validate_tenant_id: true,
     tenant_id_header_name: 'X-Tenant-Id',
     skip_paths: ['/login', '/health']
   }
@@ -126,10 +128,20 @@ RackJwtAegis::Middleware.new(app, {
   jwt_algorithm: 'HS256',  # Default: 'HS256'
 
   # Multi-Tenant Settings
+  validate_tenant_id: true, # Default: false
   tenant_id_header_name: 'X-Tenant-Id',  # Default: 'X-Tenant-Id'
   validate_subdomain: true,     # Default: false
   validate_pathname_slug: true,  # Default: false
 
+  # Default Payload Mapping:
+  payload_mapping: {
+    user_id: :user_id,
+    tenant_id: :tenant_id,
+    subdomain: :subdomain,
+    pathname_slugs: :pathname_slugs,
+    role_ids: :role_ids,
+  },
+
   # Path Configuration
   skip_paths: ['/health', '/api/v1/login'],
   pathname_slug_pattern: /^\/api\/v1\/([^\/]+)\//,  # Default pattern
@@ -172,7 +184,16 @@ RackJwtAegis::Middleware.new(app, {
     payload['role'] == 'admin' || payload['permissions'].include?('read')
   },
 
-  # Flexible Payload Mapping
+  # Payload Mapping defaults:
+  # payload_mapping = {
+  #   user_id: :user_id,
+  #   tenant_id: :tenant_id,
+  #   subdomain: :subdomain,
+  #   pathname_slugs: :pathname_slugs,
+  #   role_ids: :role_ids,
+  # }
+
+  # Flexible Payload Mapping can be customized into:
   payload_mapping: {
     user_id: :sub,                    # Map 'sub' claim to user_id
     tenant_id: :company_group_id,    # Map 'company_group_id' claim
@@ -190,7 +211,7 @@ Rack JWT Aegis provides multiple strategies for multi-tenant authentication:
 ### Subdomain Validation
 
 ```ruby
-# Validates that the JWT's domain matches the request subdomain
+# Validates that the JWT's subdomain claim matches the request's host subdomain
 config.validate_subdomain = true
 ```
 
@@ -206,6 +227,7 @@ config.pathname_slug_pattern = /^\/api\/v1\/([^\/]+)\//
 
 ```ruby
 # Validates the X-Tenant-Id header against JWT payload
+config.validate_tenant_id = true
 config.tenant_id_header_name = 'X-Tenant-Id'
 ```
 
@@ -297,7 +319,7 @@ When RBAC is enabled, the middleware extracts user roles from the JWT payload fo
 ```ruby
 payload_mapping: {
   user_id: :user_id,
-  tenant_id: :tenant_id, 
+  tenant_id: :tenant_id,
   subdomain: :subdomain,
   pathname_slugs: :pathname_slugs,
   role_ids: :role_ids    # Default field for user roles
@@ -311,7 +333,7 @@ The middleware looks for roles in the following priority order:
 1. **Configured Field**: Uses the `role_ids` mapping (e.g., if mapped to `:user_roles`, looks for `user_roles` field)
 2. **Fallback Fields**: If the mapped field is not found, tries these common alternatives:
    - `roles` - Array of role identifiers
-   - `role` - Single role identifier  
+   - `role` - Single role identifier
    - `user_roles` - Array of user role identifiers
    - `role_ids` - Array of role IDs (numeric or string)
 
@@ -341,7 +363,7 @@ The middleware supports flexible role formats:
 # Array of strings (recommended)
 "role_ids": ["123", "456", "admin"]
 
-# Array of integers  
+# Array of integers
 "role_ids": [123, 456]
 
 # Single string

data/Rakefile

@@ -14,19 +14,11 @@ begin
   require 'yard'
   require 'yard/rake/yardoc_task'
 
-  # Load custom GFM configuration if available
-  begin
-    require_relative '.yard/yard_gfm_config'
-  rescue LoadError
-    # GFM config not available, use default markdown processing
-  end
-
   YARD::Rake::YardocTask.new do |t|
     t.files = ['lib/**/*.rb']
     t.options = [
       '--output-dir', 'doc',
       '--readme', 'README.md',
-      '--markup-provider', 'kramdown',
       '--markup', 'markdown'
     ]
     t.stats_options = ['--list-undoc']

data/lib/rack_jwt_aegis/configuration.rb

@@ -49,6 +49,10 @@ module RackJwtAegis
     # @return [Boolean] true if pathname slug validation is enabled
     attr_accessor :validate_pathname_slug
 
+    # Whether to validate tenant id from request header against the tenant id from JWT payload
+    # @return [Boolean] true if tenant id validation is enabled
+    attr_accessor :validate_tenant_id
+
     # Whether RBAC (Role-Based Access Control) is enabled
     # @return [Boolean] true if RBAC is enabled
     attr_accessor :rbac_enabled
@@ -204,6 +208,12 @@ module RackJwtAegis
       config_boolean?(validate_pathname_slug)
     end
 
+    # Check if tenant id validation is enabled
+    # @return [Boolean] true if tenant id validation is enabled
+    def validate_tenant_id?
+      config_boolean?(validate_tenant_id)
+    end
+
     # Check if debug mode is enabled
     # @return [Boolean] true if debug mode is enabled
     def debug_mode?
@@ -261,6 +271,7 @@ module RackJwtAegis
       @jwt_algorithm = 'HS256'
       @validate_subdomain = false
       @validate_pathname_slug = false
+      @validate_tenant_id = false
       @rbac_enabled = false
       @tenant_id_header_name = 'X-Tenant-Id'
       @pathname_slug_pattern = %r{^/api/v1/([^/]+)/}
@@ -287,7 +298,7 @@ module RackJwtAegis
     end
 
     def validate_jwt_settings!
-      raise ConfigurationError, 'jwt_secret is required' if jwt_secret.nil? || jwt_secret.empty?
+      raise ConfigurationError, 'jwt_secret is required' if jwt_secret.to_s.strip.empty?
 
       valid_algorithms = ['HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512']
       return if valid_algorithms.include?(jwt_algorithm)
@@ -338,17 +349,23 @@ module RackJwtAegis
     end
 
     def validate_multi_tenant_settings!
-      if validate_pathname_slug? && pathname_slug_pattern.nil?
-        raise ConfigurationError, 'pathname_slug_pattern is required when validate_pathname_slug is true'
-      end
-
       if validate_subdomain? && !payload_mapping.key?(:subdomain)
         raise ConfigurationError, 'payload_mapping must include :subdomain when validate_subdomain is true'
       end
 
-      return unless validate_pathname_slug? && !payload_mapping.key?(:pathname_slugs)
+      if validate_tenant_id?
+        error_msg = []
+        error_msg << 'payload_mapping must include :tenant_id' unless payload_mapping.key?(:tenant_id)
+        error_msg << 'tenant_id_header_name is required' if tenant_id_header_name.to_s.strip.empty?
+        raise ConfigurationError, "#{error_msg.join(' and ')} when validate_tenant_id is true" if error_msg.any?
+      end
+
+      return unless validate_pathname_slug?
 
-      raise ConfigurationError, 'payload_mapping must include :pathname_slugs when validate_pathname_slug is true'
+      error_msg = []
+      error_msg << 'payload_mapping must include :pathname_slugs' unless payload_mapping.key?(:pathname_slugs)
+      error_msg << 'pathname_slug_pattern is required' if pathname_slug_pattern.to_s.empty?
+      raise ConfigurationError, "#{error_msg.join(' and ')} when validate_pathname_slug is true" if error_msg.any?
     end
   end
 end

data/lib/rack_jwt_aegis/multi_tenant_validator.rb

@@ -33,83 +33,72 @@ module RackJwtAegis
     # @param payload [Hash] the JWT payload containing tenant information
     # @raise [AuthorizationError] if tenant validation fails
     def validate(request, payload)
-      validate_subdomain(request, payload) if @config.validate_subdomain?
-      validate_pathname_slug(request, payload) if @config.validate_pathname_slug?
-      validate_company_header(request, payload) if @config.tenant_id_header_name
+      validate_subdomain(request, payload)
+      validate_pathname_slug(request, payload)
+      validate_tenant_id_header(request, payload)
     end
 
     private
 
     # Level 1 Multi-Tenant: Top-level tenant (Company-Group) validation via subdomain
     def validate_subdomain(request, payload)
+      return unless @config.validate_subdomain?
+
       request_host = request.host
-      return if request_host.nil? || request_host.empty?
+      return if request_host.to_s.empty?
 
       # Extract subdomain from request host
-      req_subdomain = extract_subdomain(request_host)
+      req_subdomain = extract_subdomain(request_host).to_s.downcase
 
       # Get JWT domain claim
-      jwt_domain_key = @config.payload_key(:subdomain).to_s
-      jwt_domain = payload[jwt_domain_key]
-
-      if jwt_domain.nil? || jwt_domain.empty?
-        raise AuthorizationError, 'JWT payload missing subdomain for subdomain validation'
-      end
-
-      # Extract subdomain from JWT domain
-      jwt_subdomain = extract_subdomain(jwt_domain)
+      jwt_claim = payload[@config.payload_key(:subdomain).to_s].to_s.strip.downcase
+      raise AuthorizationError, 'JWT payload missing subdomain for subdomain validation' if jwt_claim.empty?
 
       # Compare subdomains
-      return if subdomains_match?(req_subdomain, jwt_subdomain)
+      return if req_subdomain.eql?(jwt_claim)
 
       raise AuthorizationError,
             "Subdomain access denied: request subdomain '#{req_subdomain}' " \
-            "does not match JWT subdomain '#{jwt_subdomain}'"
+            "does not match JWT subdomain '#{jwt_claim}'"
     end
 
     # Level 2 Multi-Tenant: Sub-level tenant (Company) validation via URL path
     def validate_pathname_slug(request, payload)
+      return unless @config.validate_pathname_slug?
+
       # Extract company slug from URL path
-      company_slug = extract_company_slug_from_path(request.path)
+      pathname_slug = extract_slug_from_path(request.path)
 
-      return if company_slug.nil? # No company slug in path
+      return if pathname_slug.nil? # No company slug in path
 
       # Get accessible company slugs from JWT
-      jwt_slugs_key = @config.payload_key(:pathname_slugs).to_s
-      accessible_slugs = payload[jwt_slugs_key]
+      accessible_slugs = payload[@config.payload_key(:pathname_slugs).to_s]
 
       if accessible_slugs.nil? || !accessible_slugs.is_a?(Array) || accessible_slugs.empty?
         raise AuthorizationError, 'JWT payload missing or invalid pathname_slugs for company access validation'
       end
 
       # Check if requested company slug is in user's accessible list
-      return if accessible_slugs.include?(company_slug)
+      return if accessible_slugs.map(&:downcase).include?(pathname_slug)
 
       raise AuthorizationError,
-            "Company access denied: '#{company_slug}' not in accessible companies #{accessible_slugs}"
+            "Company access denied: '#{pathname_slug}' not in accessible companies #{accessible_slugs}"
     end
 
     # Company Group header validation (additional security layer)
-    def validate_company_header(request, payload)
-      header_name = "HTTP_#{@config.tenant_id_header_name.upcase.tr('-', '_')}"
-      header_value = request.get_header(header_name)
-
-      return if header_value.nil? # Header not present, skip validation
-
-      # Get company group ID from JWT
-      jwt_company_group_key = @config.payload_key(:tenant_id).to_s
-      jwt_tenant_id = payload[jwt_company_group_key]
+    def validate_tenant_id_header(request, payload)
+      return unless @config.validate_tenant_id?
 
-      raise AuthorizationError, 'JWT payload missing tenant_id for header validation' if jwt_tenant_id.nil?
+      # Get tenant id from request header
+      header_value = request.get_header("HTTP_#{@config.tenant_id_header_name.upcase.tr('-', '_')}").to_s.downcase
+      # Get tenant id from JWT payload
+      jwt_claim = payload[@config.payload_key(:tenant_id).to_s].to_s.strip.downcase
+      raise AuthorizationError, 'JWT payload missing tenant_id for header validation' if jwt_claim.empty?
 
-      # Normalize values for comparison (both as strings)
-      header_value_str = header_value.to_s
-      jwt_value_str = jwt_tenant_id.to_s
-
-      return if header_value_str == jwt_value_str
+      return if !header_value.empty? && header_value.eql?(jwt_claim)
 
       raise AuthorizationError,
-            "Company group header mismatch: header '#{header_value_str}' does not match JWT '#{jwt_value_str}'"
+            "Tenant id header mismatch: header '#{header_value}' does not match JWT '#{jwt_claim}'"
     end
 
     def extract_subdomain(host)
@@ -131,24 +120,9 @@ module RackJwtAegis
       parts.first
     end
 
-    def extract_company_slug_from_path(path)
-      return nil if path.nil? || path.empty?
-
+    def extract_slug_from_path(path)
       # Use configured pattern to extract company slug
-      match = @config.pathname_slug_pattern.match(path)
-      return nil unless match && match[1]
-
-      # Return captured group (company slug)
-      match[1]
-    end
-
-    def subdomains_match?(first_subdomain, second_subdomain)
-      # Handle nil cases
-      return true if first_subdomain.nil? && second_subdomain.nil?
-      return false if first_subdomain.nil? || second_subdomain.nil?
-
-      # Case-insensitive comparison
-      first_subdomain.downcase == second_subdomain.downcase
+      @config.pathname_slug_pattern.match(path.to_s.strip.downcase)&.to_a&.last
     end
   end
 end

data/lib/rack_jwt_aegis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RackJwtAegis
-  VERSION = '1.0.1'
+  VERSION = '1.0.2'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack_jwt_aegis
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Ken C. Demanawa
@@ -44,7 +44,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.2'
 description: |-
-  JWT authentication midleware with multi-tenant suport,\
+  JWT authentication and authorization midleware with multi-tenant suport,\
    company validation, and subdomain isolation.
 email:
 - kenneth.c.demanawa@gmail.com
@@ -54,7 +54,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".rubocop.yml"
-- ".yard/yard_gfm_config.rb"
 - ".yardopts"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
@@ -101,5 +100,5 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.9
 specification_version: 4
-summary: JWT authentication middleware for multi-tenant Rack applications
+summary: JWT authentication and authorization middleware for multi-tenant Rack applications
 test_files: []

data/.yard/yard_gfm_config.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-# Custom YARD configuration for GitHub Flavored Markdown support
-#
-# This configuration ensures the kramdown-parser-gfm gem is available for
-# proper rendering of fenced code blocks (```language) in YARD documentation.
-#
-# The actual GFM parsing integration is handled by YARD when kramdown is
-# configured with the GFM input parser.
-
-begin
-  require 'kramdown'
-  require 'kramdown-parser-gfm'
-  
-  # Ensure GFM parser is available - YARD will use it automatically
-  # when kramdown processes markdown with input: 'GFM'
-  
-rescue LoadError => e
-  # Fallback gracefully if GFM parser is not available
-  puts "Warning: kramdown-parser-gfm not available, fenced code blocks may not render properly: #{e.message}"
-end